On SMS logins: an example from Telegram in Iran

Jan 14, 2016

Most mobile messaging apps these days use SMS as a login technique. It’s really convenient because it doesn’t require the user to remember yet another username or identifier and telcos are taking care of the identity management such as re-assigning the phone number to you if you lose your phone.

SMS messages are trivial for your telecom provider to intercept, and in almost all countries providers actively cooperate with the state to intercept text messages and phone calls. But the threat is not limited to your telecom provider: devices like IMSI catchers give a local adversary a cheap and efficient way of intercepting text messages.

Applications such as Telegram messenger not only allow a user to sign up with an SMS, but also let them log in with one and see previous messages. The application stores your messages, content and contacts, as disclosed in its privacy policy:

We store messages, photos, videos and documents from your cloud chats on our servers, so that you can access your data from any of your devices anytime and use our instant server search to quickly access your messages from waaay back.

An attacker who can intercept a single SMS is therefore capable of reading your messages from “waaay back”.

Attacks like that are not just theoretical. Let’s take a recent example, Iran.

Telegram has gotten a huge amount of signups in Iran and according to Durov, its founder, Iranian users constitute up to 20% of their user base.

When Telegram was gaining traction over the summer (June 2015), Iranian users started receiving unsolicited login messages for signing into the Telegram website, which were believed to be related to a Telegram interception program operated by Iranian intelligence. Check the replies to this tweet:

Over the past few months, there has been a lot of chatter about the relationship between Telegram and Iran. It is widely known that Iran blocks services that blind its intelligence branches and that are unwilling to cooperate. Durov has repeatedly come out claiming that they are not collaborating with Iran beyond blocking porn and jihadi channels (for public content), which they are doing worldwide.

These are probably just a few examples of hacked channels. Unlike surveillance, censorship can be observed. It’s only because Iran started deleting popular channels that it became clear they were hacking into Telegram accounts, but how many activists got arrested over Telegram discussions that were intercepted? That is significantly more difficult to evaluate.

Despite good intentions, it’s becoming clearer that a good number of activists who trusted the application that branded itself as the “safest” messaging app are getting their accounts hacked and their channels deleted.

Countries like Iran tend to block applications that blind their intelligence services once those applications get popular. Repeated claims by the authorities that they wouldn’t block Telegram should already have sounded suspicious. If a single SMS is enough to gain access to a user’s account and data, you have designed your system with a backdoor that any serious adversary can exploit.

Does this affect only Telegram?

No, other services where you only need to send an SMS to log in are affected by this. But unlike Telegram, a lot of other messaging applications don’t store your messages and content server-side.

This is a reminder for all users of messaging apps in risky environments: verify fingerprints.

SMS activation in most messaging apps can be compared to signing in to your Jabber server when using OTR. It is just your login to the message server; unless you verify fingerprints, you are still at risk of interception.

Mitigations:

Or just move to an application that won’t store plaintext messages on its servers if you’re operating in such a risky environment.

Note on two-factor authentication

Because of the weaknesses of the SMS protocol, it’s generally safer to set up two-factor authentication with a YubiKey or TOTP (such as Google Authenticator). Unfortunately, many services don’t let you opt out of SMS fallback for second-factor authentication.
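As an added illustration (not the post's own code, and not Telegram's real protocol), this Python model ties together the point about SMS activation being only a server login and the TOTP alternative from this note: whoever observes the login code on the SMS path can replay it and receive the stored history, whereas a TOTP code (RFC 6238) computed from a seed enrolled in-app, which never travels by SMS, refuses the replay. CloudMessenger, interceptor_gets_history and the phone number are constructed names.

```python
import hashlib
import hmac
import secrets
import struct
import time

def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class CloudMessenger:
    """Constructed toy model (not Telegram's protocol) of a messenger that keeps
    message history server-side and logs users in by phone number."""

    def __init__(self, require_totp: bool):
        self.require_totp = require_totp
        self.history = {}   # phone -> stored messages
        self.seeds = {}     # phone -> TOTP seed enrolled in-app, never sent over SMS
        self.pending = {}   # phone -> login code currently in flight

    def enroll(self, phone: str, messages: list, seed: bytes = b""):
        self.history[phone] = messages
        self.seeds[phone] = seed

    def request_login(self, phone: str, sms_network: list):
        code = f"{secrets.randbelow(100000):05d}"
        self.pending[phone] = code
        sms_network.append((phone, code))  # the carrier relays this, and can read it

    def login(self, phone: str, sms_code: str, totp_code: str = "", now=None):
        if not hmac.compare_digest(self.pending.pop(phone, ""), sms_code):
            return None
        if self.require_totp:
            at = int(time.time()) if now is None else now
            if not hmac.compare_digest(totp(self.seeds[phone], at), totp_code):
                return None
        return self.history[phone]  # the whole history from "waaay back"

def interceptor_gets_history(require_totp: bool):
    """An observer of the SMS path replays the login code it saw; returns what the
    service hands over (the stored history, or None if the login is refused)."""
    svc = CloudMessenger(require_totp)
    svc.enroll("+10000000001", ["hello from 2014"], seed=secrets.token_bytes(20))
    sms_network = []  # constructed stand-in for the carrier's SMS path
    svc.request_login("+10000000001", sms_network)
    phone, code = sms_network[-1]  # the code, as seen in transit
    return svc.login(phone, code)  # no TOTP code: the seed never crossed the SMS path
```

With require_totp=False the replay returns the full history; with require_totp=True the same replay returns None, because the second factor was never on the intercepted channel.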

Disclosure: I have previously worked on encrypted messaging software.

Update I: Telegram clarified that one of the mentioned channels was deleted because of inactivity.

@CDA @Ammir @KevinMiston This channel got deleted because it was created by an inactive account that was set to self-destruct by its owner.